fossar / selfoss

multipurpose rss reader, live stream, mashup, aggregation web application
https://selfoss.aditu.de
GNU General Public License v3.0

Login request information #1356

Closed davidoskky closed 1 year ago

davidoskky commented 2 years ago

I was thinking about the login procedure of the api. The username and password are sent in plain text through a GET request every time the user logs in or executes one of the following operations:

Now, this doesn't appear to me like a huge problem since I doubt people store a lot of sensitive information on their selfoss instance or that they'll have huge problems if someone deletes sources/reads articles for them after getting access.

However, this might be fixed. As far as I understand it, the parameters of GET requests are stored in the server logs, which might be a problem when using shared hosting since the owner of the server might read the logs and gain your login information. As I understand it, this does not happen with POST requests, thus those could be used for the API. Alternatively, a temporary key obtained through the login request might be used for successive operations, but this would still not solve the problem itself, just limit the timespan.

jtojnar commented 2 years ago

Hmm, looks like the API docs are outdated. I would recommend always using POST /login and then using cookies for successive requests. That is what the official JavaScript client does.

davidoskky commented 2 years ago

Which one is the first API version that allows using POST requests? By cookie you mean the PHPSESSID?

jtojnar commented 2 years ago

> Which one is the first API version that allows using POST requests?

It is supported since selfoss 2.18, the API was not versioned then.

> By cookie you mean the PHPSESSID?

Right. I previously considered creating a custom token for apps but session cookies do essentially the same while being inherently more secure.
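An added illustration of the two points raised in this thread (the log-leak concern in davidoskky's report and the POST /login plus session-cookie recommendation from jtojnar). This is example code written for this page, not code from selfoss or its official JavaScript client. It assumes the login form fields are called `username` and `password`, constructs a combined-format access log line and a Set-Cookie header inline rather than talking to a server, and uses a hypothetical follow-up path `/example-endpoint`; only `/login` and the `PHPSESSID` cookie name come from the thread.

```javascript
// Added example, not part of selfoss. Shows (1) what a typical web-server
// access log keeps from a GET-style vs. a POST-style login and (2) how a
// client carries the PHPSESSID session cookie on later requests instead of
// resending credentials.

// A combined-format access log records the method and the full request
// target (path + query string) but never the request body. The client
// address and timestamp below are constructed sample values.
function accessLogLine(req) {
  const target = req.query
    ? `${req.path}?${new URLSearchParams(req.query).toString()}`
    : req.path;
  return `203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "${req.method} ${target} HTTP/1.1" 200 512`;
}

// GET-style login as the outdated docs described it: credentials travel in
// the URL and therefore end up in the access log. Field names are assumed.
function loginViaGet(username, password) {
  return { method: 'GET', path: '/login', query: { username, password } };
}

// POST-style login: credentials travel in the form body, which the access
// log does not record. Field names are assumed.
function loginViaPost(username, password) {
  return {
    method: 'POST',
    path: '/login',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({ username, password }).toString(),
  };
}

// Check whether a secret appears as a query-string value in a logged line.
// The query is parsed rather than string-matched so URL encoding does not
// hide a leak.
function logLeaksSecret(line, secret) {
  const m = line.match(/"[A-Z]+ [^?\s]*\?(\S*) HTTP/);
  if (!m) return false;
  return [...new URLSearchParams(m[1]).values()].includes(secret);
}

// Pick the PHPSESSID session cookie out of the Set-Cookie headers returned
// by POST /login. Attributes after the first ';' (path, HttpOnly, ...) are
// not needed by the client and are dropped.
function sessionCookieFromResponse(setCookieHeaders) {
  for (const header of setCookieHeaders) {
    const [pair] = header.split(';');
    const eq = pair.indexOf('=');
    if (eq < 0) continue;
    const name = pair.slice(0, eq).trim();
    if (name === 'PHPSESSID') {
      return { name, value: pair.slice(eq + 1).trim() };
    }
  }
  return null;
}

// A follow-up API call reuses the session cookie; the username and
// password are never sent again, so they cannot reach the access log.
function authenticatedRequest(session, method, path) {
  return { method, path, headers: { Cookie: `${session.name}=${session.value}` } };
}

// Walk through both login styles with constructed sample data.
function demo() {
  const getLine = accessLogLine(loginViaGet('alice', 'hunter2'));
  const postLine = accessLogLine(loginViaPost('alice', 'hunter2'));
  // Constructed Set-Cookie headers standing in for the POST /login response.
  const session = sessionCookieFromResponse([
    'PHPSESSID=abc123; path=/; HttpOnly',
    'other=1; path=/',
  ]);
  return {
    getLine,
    postLine,
    getLeaks: logLeaksSecret(getLine, 'hunter2'),   // true: password is in the URL
    postLeaks: logLeaksSecret(postLine, 'hunter2'), // false: body is not logged
    followUp: authenticatedRequest(session, 'GET', '/example-endpoint'), // hypothetical path
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The leak check parses the query string instead of searching for the raw password, because a password with spaces or punctuation is percent-encoded in the log and a naive substring match would miss it. Note that moving credentials into a POST body keeps them out of access logs only; the session cookie that replaces them still needs TLS and the HttpOnly attribute to be safe in transit and against script access.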

jtojnar commented 1 year ago

I have updated the docs in https://github.com/fossar/selfoss/commit/631f30b69e0f14194ae2321cc42e2977220edf34.